The storage overhead is affected by the degree of the network. The degree of the network is usually defined as the average number of immediate neighboring nodes of a given node. It is proportional to the density of nodes in a network and may be a value from 10 to 20 for a reasonably dense network [129]. Here we use the same assumption that the degree of the networks in LEAP [29] and our protocol is d. The storage overhead of the time-based scheme [1] and RGM [121] are not related to the degree of the network.
In LEAP, each node stores three keys for each neighbor, including a pairwise key, a cluster key and a key chain with L values. In addition, each node stores a network key and a master key. The total number of keys that each node stores is (3d + L + 2).
In the time-based key management scheme, each node is preloaded with an individual key shared with the BS and one initial key and m master keys. All of the other keys are established based on the preloaded keys. According to our analysis in Section4.2, this scheme cannot guarantee 100% key connectivity.
generation keys for each future generations. A node whose generation window is
Gw may establish communication with at most (Gw − 1) next generations Hence, each node has to store (Gw − 1) × n + m keys.
In the proposed protocol, the storage is determined by the memory of a node and generations that a node can survive. The number of generations is approximately equal to the number of node additions. Therefore, the higher the frequency of node additions, the larger is the number of generations that a network has. According to our scheme, each node is preloaded with a Network key, an individual key, an initial key and Gw − 1 masked initial keys. So the total preloaded number of key materials is Gw+2. After the phase of pairwise key establishment, each node stores
d + 2 keys, including d pairwise keys and an individual key and a Network key.
Suppose a sensor node surviving 100 generations has to store 100 keys including one initial key and 99 masked initial keys. These node can establish pairwise keys with nodes in 199 generations with 100% probability. The modern sensor nodes such as MICA-Z have 128KB program memory, 4KB runtime memory, and 512KB external memory [130]. Suppose the size of a key is 128bits, our scheme requires only 1.6KB memory. Our scheme has a reasonable storage requirement for modern sensor nodes.
Computation and communication cost
In LEAP [29], the time-based scheme [1], RGM [121], and the proposed solution, each node broadcasts a hello message to find its neighboring nodes when it joins the network. Both time or energy consumption are the same in this step for these four schemes. However, time and energy consumption varies in these four schemes for Link key establishment. In LEAP, all the nodes are deployed at the same time. We take nodes u and v as example, u and v establish Link key with algorithm
Kj
uv = fKuj(IDv) if IDu < IDv or K
j
vu = fKvj(IDu) if IDu > IDv. While in the
proposed solution, nodes are deployed to network generation by generation. Neigh- boring nodes deployed in the same generation establish the pairwise key with the same algorithm as that in LEAP. While for the node u deployed at generation g and another node v deployed at generation h(1 ≤ g < h ≤ g + Gw− 1), they calculate their pairwise keys with algorithm Kgh
uv = fKgh(IDu | IDv). We have to mention
Figure 4.7: Comparison of time consumption of LEAP and the proposed solution
guarantee 100% key connectivity and the established pairwise key does not exclu- sively belong to the two generations. In RGM, all the shared generation keys con- tribute to the pairwise key. The pairwise key is the hash value of the concatenation of all the shared generation keys. The calculation does not increase computation overhead while strengthening the security. However, RGM does not guarantee that any two nodes share at least one generation key. That is, it cannot reach 100% key connectivity probability. It does not consider path key establishment as the basic random key predistribution scheme [3].
We suppose the degree of network varies from 10 to 20 with span 2 in LEAP and the proposed scheme. In the proposed scheme, we assume that half the neighboring nodes for a specific node are deployed in the same generation and the remaining neighboring nodes are deployed in the different generations. The length of ID of each node is 4 bytes and the key length is 128 bits. We run the pairwise key es- tablishment algorithm with MATLAB. Figure4.7 shows a comparison of the time consumption.
4.8 Conclusion
Although the LEAP key management mechanism is welcomed due to its multiple keying mechanism and apparently strengthens the security of ZigBee, the security of all types of keys is mainly dependent on that of an initial key. It is assumed that
the initial deployment phase is secure and the key is erased from sensor nodes after the initialization phase. However, the same key should be used again for node addi- tion after that phase while the new node can be captured before removing the initial key. A time-based key management scheme was proposed to eliminate the effect of disclosure of the initial keys. This scheme does disperse the damage resulting from the disclosure of the initial key with the cost of reduced key connectivity and other security vulnerabilities. We identified the security problems of LEAP and the time- based key management schemes and presented a robust key management scheme for multi-phase HWSNs. We identified security issues of the ZigBee specification in particular its key management mechanism and showed that the proposed robust key management solution can be directly used to enhance the key management ser- vices of the ZigBee specification. We demonstrated the advantages of the proposed solution with sound analysis, comparison, and simulation.
5
Keyed Hash Chain Based Key
Predistribution Scheme
5.1 Introduction
Many previous researches focus on flat topology of wireless sensor networks which comprise only homogeneous nodes. This type of network is simple and efficient small-scale networks, but, it lacks scalability. In a homogeneous network, the sensor node which performs the data aggregation and forwarding function will run out of power in advance because it receives higher traffic volume. This in turn leads to the collapse of the whole network. An alternative way to extend the network life is to randomly and periodically rotate the responsibility of the data aggregation function to all nodes as the scheme proposed in [131]. However, this rotation raises the requirement of stronger hardware capabilities. Both [132] and [133] demonstrated the performance bottleneck of homogeneous networks.
HWSNs consist of heterogeneous nodes, including a large number of low-end nodes and a small number of high-end nodes. Low-end nodes have a tiny mem- ory and very limited data processing capability; while high-end nodes have more storage space and stronger data processing capability. High-end nodes are deployed together with low-end nodes. They aggregate data and forward the aggregated data to the BS. Also, high-end nodes which work as cluster heads help the BS to manage
the network. Addition and revocation operations can be performed within a cluster. In this way, the influence of a compromised node can be localized within a cluster rather than affecting the whole network. Therefore, HWSNs provide scalability and security benefits.
As applications gain more ground, security issues in wireless sensor networks have attracted more concern. There have been several attempts to secure WSNs, although all of them have their pros and cons and none gives a satisfactory perfor- mance. Security is a challenging problem in WSNs due to the constraint on memory and energy at low-end nodes. Asymmetric cryptographic algorithms, such as RSA public key techniques, while applicable to wired networks even general ad hoc net- works, may not be suitable for sensor networks. It is well known that ECC can obtain the same security level as RSA with a shorter key length. A 160-bit ECC key has the same security level as a 1024-bit RSA key [134]. However, the research in [135] demonstrated that the Diffie-Hellman key agreement process using the El- liptic Curve asymmetric key algorithm in an ad hoc network is between one to two orders of magnitude larger than the key exchange process based on the AES sym- metric key algorithm in a regular non ad hoc network. Therefore, we approach the problem using Symmetric Key Cryptography.
In this chapter, we focus on the design of a key predistribution solution for HWSNs. The proposed solution is more efficient and effective. This solution sup- ports the establishment and renewal of five types of keys in the network because a single key can not satisfy different communication requirements. In the proposed solution, we utilize a keyed hash chain to reduce storage overhead. Unlike exist- ing keyed hash chain based schemes, sensor nodes store only commitments for the corresponding key chains. Even though one or more nodes are compromised, no se- cret information is disclosed. We define a new cluster mechanism which improves the key sharing probability between the sensors and their cluster head. All keys involved in this solution are symmetric keys.
The rest of this chapter is organized as follows: In Section5.2, we describe the HWSN model that is assumed throughout the chapter. In Section 5.3, we provide the full details of the solution. Then, we study the establishment of other types of keys in Section 5.4. We analyze the security and performance of the proposed
Figure 5.1: The network model of the proposed key predistribution scheme
solution in Sections 5.5 and 5.6 respectively. Finally, we summarize the work of this chapter in Section5.7.